ADD_DEFINITIONS("-DAPI_VERSION=\"$(API_VERSION)\"")
ADD_DEFINITIONS("-DSMACK_ENABLED")
ADD_DEFINITIONS("-DDPL_LOGS_ENABLED") # Enable LOGS in security-server2
+#ADD_DEFINITIONS("-DUSE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID") #use old security-server 1.0 for check-privilege-by-pid API
SET(TARGET_SECURITY_SERVER "security-server")
SET(TARGET_SECURITY_CLIENT "security-server-client")
ln -s ../security-server.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server.socket
ln -s ../security-server-data-share.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-data-share.socket
ln -s ../security-server-get-gid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-get-gid.socket
+ln -s ../security-server-privilege-by-pid.socket %{buildroot}/usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
%clean
rm -rf %{buildroot}
%attr(-,root,root) /usr/lib/systemd/system/security-server-data-share.socket
%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-get-gid.socket
%attr(-,root,root) /usr/lib/systemd/system/security-server-get-gid.socket
+%attr(-,root,root) /usr/lib/systemd/system/sockets.target.wants/security-server-privilege-by-pid.socket
+%attr(-,root,root) /usr/lib/systemd/system/security-server-privilege-by-pid.socket
%{_datadir}/license/%{name}
${SERVER2_PATH}/service/data-share.cpp
${SERVER2_PATH}/service/echo.cpp
${SERVER2_PATH}/service/get-gid.cpp
+ ${SERVER2_PATH}/service/privilege-by-pid.cpp
)
SET_SOURCE_FILES_PROPERTIES(
${SECURITY_SERVER_PATH}/server2/client/client-common.cpp
${SECURITY_SERVER_PATH}/server2/client/client-shared-memory.cpp
${SECURITY_SERVER_PATH}/server2/client/client-get-gid.cpp
+ ${SECURITY_SERVER_PATH}/server2/client/client-privilege-by-pid.cpp
${SECURITY_SERVER_PATH}/client/security-server-client.c
${SECURITY_SERVER_PATH}/communication/security-server-comm.c
${SECURITY_SERVER_PATH}/util/smack-check.c
return label;
}
+#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
SECURITY_SERVER_API
int security_server_check_privilege_by_pid(int pid, const char *object, const char *access_rights)
{
retval = convert_to_public_error_code(retval);
return retval;
}
+#endif
return SECURITY_SERVER_SUCCESS;
}
+#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
//VERSION: 0x01
//MSG_ID: 0x1f (SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST)
//DATA_SIZE: strlen(object) + 1 + strlen(access_rights) + 1
return retval;
}
+#endif
/* Send PID check request message to security server *
*
return SECURITY_SERVER_SUCCESS;
}
+#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
int recv_pid_privilege_request(int sockfd, int datasize, int *pid, char **object, char **access_rights)
{
int retval;
return retval;
}
+#endif
/* Receive pid request packet body */
/* Table argv and content will be freed by function caller */
return SECURITY_SERVER_SUCCESS;
}
+#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
int recv_pid_privilege_response(int sockfd, response_header *hdr)
{
int retval;
return SECURITY_SERVER_SUCCESS;
}
-
+#endif
int recv_pid_response(int sockfd, response_header *hdr, int *pid)
{
int retval;
return SECURITY_SERVER_SUCCESS;
}
+
int recv_pwd_response(int sockfd, response_header *hdr,
unsigned int *current_attempts,
unsigned int *max_attempts,
#define SECURITY_SERVER_MSG_TYPE_SET_PWD_VALIDITY_RESPONSE 0x1c
#define SECURITY_SERVER_MSG_TYPE_SMACK_REQUEST 0x1d
#define SECURITY_SERVER_MSG_TYPE_SMACK_RESPONSE 0x1e
+#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST 0x21
#define SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_RESPONSE 0x22
+#endif
#define SECURITY_SERVER_MSG_TYPE_EXE_PATH_REQUEST 0x23
#define SECURITY_SERVER_MSG_TYPE_EXE_PATH_RESPONSE 0x24
#define SECURITY_SERVER_MSG_TYPE_GENERIC_RESPONSE 0xff
int send_smack(int sockfd, char *label);
int recv_smack_response(int sockfd, response_header *hdr, char *label);
+#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
int send_pid_privilege_request(int sockfd, int pid, const char *object, const char *access_rights);
int recv_pid_privilege_request(int sockfd, int datasize, int *pid, char **object, char **access_rights);
int recv_pid_privilege_response(int sockfdi, response_header *hdr);
+#endif
int send_launch_tool_request(int sock_fd, int argc, const char **argv);
int recv_generic_response(int sockfd, response_header *hdr);
error:
return retval;
}
-
+#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
int process_pid_privilege_check(int sockfd, int datasize)
{
//In this function we parsing received PID privilege check request
return retval;
}
+#endif
int process_tool_request(int client_sockfd, int server_sockfd)
{
process_smack_request(client_sockfd);
break;
+#ifdef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
case SECURITY_SERVER_MSG_TYPE_CHECK_PID_PRIVILEGE_REQUEST:
SEC_SVR_DBG("%s", "PID privilege check request received");
authorize_SS_API_caller_socket(client_sockfd, API_MIDDLEWARE, API_RULE_REQUIRED);
//pass data size to function
process_pid_privilege_check(client_sockfd, basic_hdr.msg_len);
break;
+#endif
case SECURITY_SERVER_MSG_TYPE_TOOL_REQUEST:
SEC_SVR_DBG("%s", "launch tool request received");
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file client-check-privilege-by-pid.cpp
+ * @author Jan Cybulski (j.cybulski@samsung.com)
+ * @version 1.0
+ * @brief This file constains implementation of security-server API for
+ * checking privilege by process id.
+ */
+
+#include <stdio.h>
+
+#include <dpl/log/log.h>
+#include <dpl/exception.h>
+
+#include <socket-buffer.h>
+#include <client-common.h>
+#include <protocols.h>
+#include <smack-check.h>
+
+#include <security-server.h>
+#include <security-server-common.h>
+
+#ifndef USE_SEC_SRV1_FOR_CHECK_PRIVILEGE_BY_PID
+SECURITY_SERVER_API
+int security_server_check_privilege_by_pid(
+ int pid,
+ const char *object,
+ const char *access_rights) {
+ using namespace SecurityServer;
+ try {
+ if (1 != smack_check())
+ return SECURITY_SERVER_API_SUCCESS;
+
+ SocketBuffer send, recv;
+ Serialization ser;
+ ser.Serialize(send, pid);
+ ser.Serialize(send, std::string(object));
+ ser.Serialize(send, std::string(access_rights));
+
+ int result = sendToServer(
+ SERVICE_SOCKET_PRIVILEGE_BY_PID,
+ send.Pop(),
+ recv);
+
+ if (result != SECURITY_SERVER_API_SUCCESS)
+ return result;
+
+ Deserialization des;
+ des.Deserialize(recv, result);
+ return result;
+ } catch (SocketBuffer::Exception::Base &e) {
+ LogDebug("SecurityServer::SocketBuffer::Exception " << e.DumpToString());
+ } catch (std::exception &e) {
+ LogDebug("STD exception " << e.what());
+ } catch (...) {
+ LogDebug("Unknown exception occured");
+ }
+ return SECURITY_SERVER_API_ERROR_UNKNOWN;
+}
+#endif
+
"/tmp/security-server-api-echo.sock";
char const * const SERVICE_SOCKET_GET_GID =
"/tmp/.security-server-api-get-gid.sock";
+char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID =
+ "/tmp/.security-server-api-privilege-by-pid";
} // namespace SecurityServer
extern char const * const SERVICE_SOCKET_SHARED_MEMORY;
extern char const * const SERVICE_SOCKET_ECHO;
extern char const * const SERVICE_SOCKET_GET_GID;
+extern char const * const SERVICE_SOCKET_PRIVILEGE_BY_PID;
} // namespace SecuritySever
#include <data-share.h>
#include <get-gid.h>
+#include <privilege-by-pid.h>
#include <echo.h>
IMPLEMENT_SAFE_SINGLETON(SecurityServer::Log::LogSystem);
getGidService->Create();
manager.RegisterSocketService(getGidService);
+ SecurityServer::PrivilegeByPidService *privByPidService = new SecurityServer::PrivilegeByPidService;
+ privByPidService->Create();
+ manager.RegisterSocketService(privByPidService);
+
manager.MainLoop();
}
UNHANDLED_EXCEPTION_HANDLER_END
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*
+ * @file privilege-by-pid.cpp
+ * @author Jan Cybulski (j.cybulski@samsung.com)
+ * @version 1.0
+ * @brief Implementation of check-privilege-by-pid service.
+ */
+
+#include <sys/smack.h>
+
+#include <dpl/log/log.h>
+#include <dpl/serialization.h>
+
+#include <protocols.h>
+#include <privilege-by-pid.h>
+
+#include <security-server.h>
+#include <security-server-util.h>
+#include <smack-check.h>
+
+#include <privilege-control.h>
+
+
+namespace {
+// Service may open more than one socket.
+// These ID's will be assigned to sockets
+// and will be used only by service.
+// When new connection arrives, AcceptEvent
+// will be generated with proper ID to inform
+// service about input socket.
+//
+// Please note: SocketManaged does not use it and
+// does not check it in any way.
+//
+// If your service require only one socket
+// (uses only one socket labeled with smack)
+// you may ignore this ID (just pass 0)
+const int SERVICE_SOCKET_ID = 0;
+
+} // namespace anonymous
+
+namespace SecurityServer {
+
+GenericSocketService::ServiceDescriptionVector PrivilegeByPidService::GetServiceDescription() {
+ ServiceDescription sd = {
+ "*",
+ SERVICE_SOCKET_ID,
+ SERVICE_SOCKET_PRIVILEGE_BY_PID
+ };
+ ServiceDescriptionVector v;
+ v.push_back(sd);
+ return v;
+}
+
+void PrivilegeByPidService::accept(const AcceptEvent &event) {
+ LogDebug("Accept event. ConnectionID.sock: " << event.connectionID.sock
+ << " ConnectionID.counter: " << event.connectionID.counter
+ << " ServiceID: " << event.interfaceID);
+}
+
+void PrivilegeByPidService::write(const WriteEvent &event) {
+ LogDebug("WriteEvent. ConnectionID: " << event.connectionID.sock <<
+ " Size: " << event.size << " Left: " << event.left);
+ if (event.left == 0)
+ m_serviceManager->Close(event.connectionID);
+}
+
+bool PrivilegeByPidService::readOne(const ConnectionID &conn, SocketBuffer &buffer) {
+ LogDebug("Iteration begin");
+
+
+ int retval;
+ int pid;
+ std::string object;
+ std::string access_rights;
+
+
+ int retCode = SECURITY_SERVER_API_ERROR_SERVER_ERROR;
+
+
+ if (!buffer.Ready()) {
+ LogDebug("Got part of message. Service is waiting for the rest.");
+ return false;
+ }
+
+ Try {
+ SecurityServer::Deserialization des;
+ des.Deserialize(buffer, pid);
+ des.Deserialize(buffer, object);
+ des.Deserialize(buffer, access_rights);
+ } Catch (SocketBuffer::Exception::Base) {
+ LogDebug("Broken protocol. Closing socket.");
+ m_serviceManager->Close(conn);
+ return false;
+ }
+
+ if (smack_check()) {
+ char subject[SMACK_LABEL_LEN + 1];
+ subject[0]='\0';
+ retval = smack_pid_have_access(pid, object.c_str(), access_rights.c_str());
+ LogDebug("smack_pid_have_access returned " << retval);
+
+ if (get_smack_label_from_process(pid, subject) != PC_OPERATION_SUCCESS) {
+ // subject label is set to empty string
+ LogError("get_smack_label_from_process failed. Subject label has not been read.");
+ } else {
+ SECURE_SLOGD("Subject label of client PID %d is: %s", pid, subject);
+ }
+ } else {
+ LogDebug("SMACK is not available. Subject label has not been read.");
+ retval = 1;
+ }
+
+ char *path = read_exe_path_from_proc(pid);
+
+ if (retval > 0)
+ SECURE_SLOGD("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
+ else
+ SECURE_SLOGW("SS_SMACK: caller_pid=%d, subject=%s, object=%s, access=%s, result=%d, caller_path=%s", pid, subject, object, access_rights, retval, path);
+
+ if (path != NULL)
+ free(path);
+
+ if (retval == 1) //there is permission
+ retCode = SECURITY_SERVER_API_SUCCESS;
+ else //there is no permission
+ retCode = SECURITY_SERVER_API_ERROR_ACCESS_DENIED;
+
+ SecurityServer::Serialization ser;
+ SocketBuffer sendBuffer;
+ ser.Serialize(sendBuffer, retCode);
+ m_serviceManager->Write(conn, sendBuffer.Pop());
+ return true;
+}
+
+void PrivilegeByPidService::read(const ReadEvent &event) {
+ LogDebug("Read event for counter: " << event.connectionID.counter);
+ auto &buffer = m_socketBufferMap[event.connectionID.counter];
+ buffer.Push(event.rawBuffer);
+
+ LogDebug("Pushed to buffer ptr: " << (void*)&buffer);
+ // We can get several requests in one package.
+ // Extract and process them all
+ while(readOne(event.connectionID, buffer));
+}
+
+void PrivilegeByPidService::close(const CloseEvent &event) {
+ LogDebug("CloseEvent. ConnectionID: " << event.connectionID.sock);
+ m_socketBufferMap.erase(event.connectionID.counter);
+}
+
+void PrivilegeByPidService::error(const ErrorEvent &event) {
+ LogDebug("ErrorEvent. ConnectionID: " << event.connectionID.sock);
+ m_serviceManager->Close(event.connectionID);
+}
+
+} // namespace SecurityServer
+
--- /dev/null
+/*
+ * Copyright (c) 2000 - 2013 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Contact: Bumjin Im <bj.im@samsung.com>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+/*hcpp
+ * @author Jan Cybulski (j.cybulski@samsung.com)
+ * @version 1.0
+ * @brief Implementation of api-check-privilege-by-pid
+ */
+
+#ifndef _SECURITY_SERVER_PRIVILEGE_BY_PID_
+#define _SECURITY_SERVER_PRIVILEGE_BY_PID_
+
+#include <service-thread.h>
+#include <generic-socket-manager.h>
+
+#include <socket-buffer.h>
+
+namespace SecurityServer {
+
+class PrivilegeByPidService
+ : public SecurityServer::GenericSocketService
+ , public SecurityServer::ServiceThread<PrivilegeByPidService>
+{
+public:
+ typedef std::map<int, SocketBuffer> SocketBufferMap;
+
+ ServiceDescriptionVector GetServiceDescription();
+
+ DECLARE_THREAD_EVENT(AcceptEvent, accept)
+ DECLARE_THREAD_EVENT(WriteEvent, write)
+ DECLARE_THREAD_EVENT(ReadEvent, read)
+ DECLARE_THREAD_EVENT(CloseEvent, close)
+ DECLARE_THREAD_EVENT(ErrorEvent, error)
+
+ void accept(const AcceptEvent &event);
+ void write(const WriteEvent &event);
+ void read(const ReadEvent &event);
+ void close(const CloseEvent &event);
+ void error(const ErrorEvent &event);
+private:
+ bool readOne(const ConnectionID &conn, SocketBuffer &buffer);
+
+ SocketBufferMap m_socketBufferMap;
+};
+
+} // namespace SecurityServer
+
+#endif // _SECURITY_SERVER_DATA_SHARE_
${CMAKE_SOURCE_DIR}/systemd/security-server.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-data-share.socket
${CMAKE_SOURCE_DIR}/systemd/security-server-get-gid.socket
+ ${CMAKE_SOURCE_DIR}/systemd/security-server-privilege-by-pid.socket
DESTINATION
/usr/lib/systemd/system
)
--- /dev/null
+[Socket]
+ListenStream=/tmp/.security-server-api-privilege-by-pid
+SocketMode=0777
+SmackLabelIPIn=*
+SmackLabelIPOut=@
+
+Service=security-server.service
+
+[Install]
+WantedBy=sockets.target
Sockets=security-server.socket
Sockets=security-server-data-share.socket
Sockets=security-server-get-gid.socket
+Sockets=security-server-privilege-by-pid.socket
[Install]
WantedBy=multi-user.target